Specify NSS Password Overrides
Specify the passwd override entries you want to use in place of the entries in the local /etc/passwd file. You can use these settings to provide fine-grained control of the users and groups who can use the computer and to override the user ID, group ID, default shell, or home directory for specific login accounts.
This group policy modifies the nss.passwd.override setting in the agent configuration file.
This group policy allows you to define filters to control access to a local computer. You can also use override controls to modify the information for specific fields in each /etc/passwd entry on the local computer. For example, you can override the user ID, primary group ID, default shell, or home directory for specific login accounts on the local computer without modifying the account entry itself.
The syntax for overriding passwd entries is similar to the syntax used for NIS overrides. You use + and - entries to allow or deny access for specific users on the local system. The additional fields correspond to the standard /etc/passwd fields and are separated by colons (:).
If you don't specify override information for a field, the information from the local /etc/passwd file is used. You cannot specify override information for the password hash field, however. Any changes to this field in the override file are ignored and do not affect Delinea user passwords.
If you select Enabled for the Specify NSS password overrides group policy, you can type a comma-separated list of the override entries you want inserted into the override file, passwd.ovr, using the following format for each entry:
+zone_username:username:password:uid:gid:GECOS:home_directory:shell
-zone_username:username:password:uid:gid:GECOS:home_directory:shell
For example, you can specify entries similar to the following:
+mike:::::::/usr/local/ultrabash
+jane@arcade.org:jdoe::300:300:::
+@sysadmins:::::::
-ftp
+@staff:::::::
+@rejected-users:::767:767:::/sbin/nologin
In the example above, the @ symbol denotes an Active Directory name. The name can be an Active Directory group name, a Delinea zone name, or some other container name. You can also specify an Active Directory user principal name (UPN), as in the jane@arcade.org entry, instead of the zone user name.
Entries in the override file are evaluated in order from first to last, and the first match takes precedence: the system uses only the first entry that matches a particular user and ignores any later entries that would also match. For example, if the user cruz is a member of both the staff group and the rejected-users group and you have defined the override entries as listed in the example above, the cruz account is allowed to log on to the computer because the staff entry is evaluated and matched before the rejected-users entry. If the order were reversed in the override file, the cruz account would be matched by the rejected-users entry instead and denied access.
It is important, therefore, to consider the order in which you list the override entries in the group policy configuration. The order you use to specify the entries in the group policy is the order used when the entries are inserted into the override file.
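The following Python is an added illustration, not part of the original page and not Delinea's agent code. It models the rules described above so you can check the effect of an entry order before deploying it: + admits and - denies, @name matches any group or zone the user belongs to, an empty field keeps the local /etc/passwd value, the password hash field is never overridden, and the first matching entry wins. The local account lines, the cruz group memberships, and the behaviour when no entry matches (the local entry is returned unchanged) are assumptions of this model; the page does not state what the agent does in that last case.

```python
"""Model of how an NSS passwd override file (passwd.ovr) is evaluated.

Added example: this is a simulation of the documented rules, not Delinea's
own agent code. Sample accounts and group memberships are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# passwd fields in the order they follow the selector in an override entry.
FIELDS = ["username", "password", "uid", "gid", "gecos", "home", "shell"]

# Constructed sample data: the page's example entries as they would be typed
# into the group policy, plus invented local /etc/passwd lines.
SAMPLE_POLICY = ("+mike:::::::/usr/local/ultrabash, +jane@arcade.org:jdoe::300:300:::, "
                 "+@sysadmins:::::::, -ftp, +@staff:::::::, "
                 "+@rejected-users:::767:767:::/sbin/nologin")
SAMPLE_PASSWD = {
    "mike": "mike:x:1001:1001:Mike:/home/mike:/bin/bash",
    "jane@arcade.org": "jane@arcade.org:x:1002:1002:Jane Doe:/home/jane:/bin/bash",
    "ftp": "ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin",
    "cruz": "cruz:x:1003:1003:Cruz:/home/cruz:/bin/bash",
}


@dataclass
class OverrideEntry:
    allow: bool           # True for a '+' entry, False for a '-' entry
    selector: str         # zone user name, UPN, or '@name' for a group/zone
    overrides: List[str]  # seven passwd fields; '' means "keep the local value"


def policy_to_override_text(policy_value: str) -> str:
    """Turn the comma-separated policy value into passwd.ovr lines, keeping
    the order in which the entries were listed (that order is what the
    agent evaluates)."""
    entries = [e.strip() for e in policy_value.split(",") if e.strip()]
    return "\n".join(entries) + "\n"


def parse_override_file(text: str) -> List[OverrideEntry]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line[0] not in "+-":
            raise ValueError(f"override entry must start with + or -: {raw!r}")
        selector, *fields = line[1:].split(":")
        if len(fields) > len(FIELDS):
            raise ValueError(f"too many fields in entry: {raw!r}")
        fields += [""] * (len(FIELDS) - len(fields))  # '-ftp' carries no fields
        entries.append(OverrideEntry(line[0] == "+", selector, fields))
    return entries


def matches(entry: OverrideEntry, user: str, groups: Set[str]) -> bool:
    if entry.selector.startswith("@"):
        return entry.selector[1:] in groups   # AD group, zone, or other container
    return entry.selector == user              # zone user name or UPN


def resolve(user: str, groups: Set[str], entries: List[OverrideEntry],
            passwd_db: Dict[str, str]) -> Optional[str]:
    """Return the effective passwd line for `user`, or None if access is denied.

    Entries are checked in file order and the first match decides; later
    matching entries are never consulted. If nothing matches, the local
    entry is returned unchanged (a modelling assumption, see lead-in).
    """
    local = passwd_db.get(user)
    if local is None:
        return None
    base = local.split(":")
    for entry in entries:
        if not matches(entry, user, groups):
            continue
        if not entry.allow:
            return None                        # '-' entry: deny access
        effective = []
        for i, field in enumerate(FIELDS):
            value = entry.overrides[i]
            if field == "password" or value == "":
                value = base[i]   # hash overrides are ignored; blanks keep local
            effective.append(value)
        return ":".join(effective)
    return local


def demo() -> Dict[str, Optional[str]]:
    entries = parse_override_file(policy_to_override_text(SAMPLE_POLICY))
    cruz_groups = {"staff", "rejected-users"}   # constructed membership
    return {
        "mike": resolve("mike", set(), entries, SAMPLE_PASSWD),
        "jane": resolve("jane@arcade.org", set(), entries, SAMPLE_PASSWD),
        "ftp": resolve("ftp", set(), entries, SAMPLE_PASSWD),
        "cruz": resolve("cruz", cruz_groups, entries, SAMPLE_PASSWD),
        # Same entries in reverse order: rejected-users now matches cruz first.
        "cruz_reversed": resolve("cruz", cruz_groups, entries[::-1], SAMPLE_PASSWD),
    }


if __name__ == "__main__":
    for name, line in demo().items():
        print(f"{name:14} -> {line}")
```

Running the demo shows the ordering point from the text: with the entries as listed, cruz keeps the local entry because @staff matches first; with the order reversed, cruz is matched by @rejected-users and gets uid/gid 767 and /sbin/nologin as the shell. The ftp account is denied outright by the - entry, jane@arcade.org is presented as jdoe with uid/gid 300, and mike keeps everything except the shell. Note that the real agent may differ from this model in details the page does not document, such as users matched by no entry at all.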
Changes to the NSS password override entries only affect the entries inserted through the group policy. You can also manually create or update override entries in the override file on any local computer, if needed. Changes made to manually inserted or edited entries do not affect the entries maintained through the NSS Overrides group policies.
For more information about overriding passwd entries, see the sample password override file /etc/centrifydc/passwd.ovr.